Tighter Security Urged for Businesses Banking Online

An industry group representing some of the nation's largest banks sent a private alert to its members last week warning about a surge in reported cybercrime targeting small to mid-sized businesses. The advisory, issued by the Financial Services Information Sharing and Analysis Center, recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts.

For example, the group recommends that commercial banking customers "carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible." Such a system might be a virgin install of Windows with all the proper updates, using something like Microsoft SteadyState. Even smarter would be a Mac, or some flavor of Linux, or even a Live CD distribution of Linux (after shutdown, all changes are erased).

Why take such extreme precautions? The alert indicates that the sophistication, stealth, and sheer volume of malicious software being distributed these days is testing the limits of traditional anti-malware protections, such as anti-virus software.

According to the latest estimates by anti-virus maker Trend Micro, at least 253 million systems were infected with malware last year, the majority of which were the result of software lying in wait on hacked or malicious Web sites. At the rate that new malware specimens are being created - more than a million per month - Trend estimates that the comparable number of PCs that will be infected with malware in 2009 will nearly double, to 491 million (chart courtesy av-test.org).

The alert warns that the attackers in some cases are using password-stealing malware designed to swipe so-called "two-factor authentication" credentials -- such as one-time passwords from scratch-off pads or battery-operated key fobs (which generate a new password roughly every minute).

"If the bank customer is using two-factor authentication, the Trojan keystroke logger may detect this and immediately send an instant message to the fraudster," the alert notes.

In early July, I wrote about Bullitt County, Ky., which lost $415,000 at the hands of money mules and a nasty infection by a new Zeus variant known to some malware analysts as "Jabberzeus." The nickname comes from the fact that it sends the stolen credentials to the attackers in real time using the Jabber instant message protocol, in a bid to snatch one-time passwords. Commercial banks often require online customers to enter these codes before initiating wire transfers. To get around this, Zeus can easily be configured to request those one-time codes up front: The malware simply re-writes the bank's home page as it is displayed in the victim's Web browser, so that the code is requested when the victim initially logs in.
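The dedicated, no-e-mail, no-browsing banking workstation described above is only as good as the check that it really talks to nothing but the bank. As an added example (not code from the Security Fix post), here is a small egress audit over constructed firewall log lines: it flags any connection from the banking host that is not to the bank, and labels Jabber/XMPP-port connections separately because that is the channel Jabberzeus uses to send stolen credentials. The log format, the host address and the bank address are all assumptions.

```python
import re
from collections import namedtuple

# Constructed sample firewall log lines (not from the article). The format is
# assumed: "<time> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>".
SAMPLE_LOG = """\
2009-08-24T09:01:02 10.0.5.20 -> 203.0.113.10:443 tcp allow
2009-08-24T09:01:05 10.0.5.20 -> 203.0.113.10:443 tcp allow
2009-08-24T09:02:11 10.0.5.20 -> 198.51.100.7:5222 tcp allow
2009-08-24T09:02:30 10.0.5.20 -> 192.0.2.44:80 tcp allow
2009-08-24T09:03:00 10.0.5.21 -> 192.0.2.44:80 tcp allow
"""

BANK_HOST = "10.0.5.20"                   # the locked-down banking workstation (assumed)
BANK_ALLOWLIST = {("203.0.113.10", 443)}  # the bank's site only (assumed)
XMPP_PORTS = {5222, 5223, 5269}           # standard Jabber/XMPP client and server ports

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) (\w+)$")
Flow = namedtuple("Flow", "ts src dst dport proto action")


def parse_log(text):
    """Parse the assumed log format into Flow records; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, proto, action = m.groups()
            flows.append(Flow(ts, src, dst, int(dport), proto, action))
    return flows


def audit_banking_host(flows, host=BANK_HOST, allowlist=BANK_ALLOWLIST):
    """Return (reason, flow) for every connection from the banking host that is
    not to the bank. XMPP ports get their own label so a real-time credential
    relay like Jabberzeus stands out from ordinary policy drift."""
    findings = []
    for f in flows:
        if f.src != host or (f.dst, f.dport) in allowlist:
            continue
        reason = "xmpp-egress" if f.dport in XMPP_PORTS else "non-bank-egress"
        findings.append((reason, f))
    return findings


if __name__ == "__main__":
    for reason, f in audit_banking_host(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {f.ts} {f.src} -> {f.dst}:{f.dport}")
```

On the sample above the 5222 connection and the port-80 connection from the banking host are flagged; traffic from the other workstation is ignored because the allowlist applies only to the dedicated machine.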

Later in the month, Security Fix interviewed Gainesville, Ga.-based Slack Auto Parts, which suffered about $75,000 in losses because of an infection from Ligats (also known as "Clampi"). That infection had hidden inside their systems for more than a year, and the company's installation of AVAST! anti-virus software failed to detect it the entire time.

In Monday's story, we feature another victim - JM Test Systems, an electronics calibration company in Baton Rouge - that lost almost $100,000 in a similar, malware-related fraud attack involving money mules. The company still hasn't been able to classify the malicious software, but their copy of Trend Micro anti-virus software never saw it coming or residing on their systems, according to Happy McKnight, JM Test's controller. McKnight said an internal IT guy at the company found the malware only after running the infected system in a virtual environment, and even then the malware hid itself until the technician opened a Web browser.

Cliff Morrison, one of JM Test's co-owners, said no one in the company will be allowed to access their bank account except from a severely locked-down workstation.

"We have set up dumb terminals that are these little bitty [computers] the size of a cigar box, where as soon as you shut it down, it wipes the memory," Morrison said.

This advice is equally useful for consumers who bank online, but consumers enjoy far more protection from banking regulations than do businesses. As we state in our story about this today:

Businesses do not enjoy the same legal protections when banking online as consumers do. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.

In contrast, companies that bank online are regulated under the Universal Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.
---------------------------------
Brian

I am noticing that for the last several days on both your page and also on Rob's page, that when I click on the Comments, the pages reset to the right side of the screen. It is correctable by clicking on the page reload feature, but this never occurred before. Browser is the current version of Firefox.

I wanna laugh at this 'SteadyState'. Is that the best MS can do with all their billions? It's laughable. Worse: it's still not secure because compromises that take place during a session, whilst perhaps not there in permanent storage the next time around, can still do damage *this* time around. I am as always continually boggled by the fact Microsoft continue to studiously avoid the fundamental security issues and the discussion thereof. Windows is truly unfit for use online.